S0324 SpyDealer
SpyDealer is Android malware that exfiltrates sensitive data from Android devices. 1
| Item | Value |
|---|---|
| ID | S0324 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 17 October 2018 |
| Last Modified | 24 October 2022 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1429 | Audio Capture | SpyDealer can record phone calls and surrounding audio.1 |
| mobile | T1645 | Compromise Client Software Binary | SpyDealer maintains persistence by installing an Android application package (APK) on the system partition.1 |
| mobile | T1407 | Download New Code at Runtime | SpyDealer downloads and executes root exploits from a remote server.1 |
| mobile | T1624 | Event Triggered Execution | - |
| mobile | T1624.001 | Broadcast Receivers | SpyDealer registers the broadcast receiver to listen for events related to device boot-up.1 |
| mobile | T1404 | Exploitation for Privilege Escalation | SpyDealer uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.1 |
| mobile | T1430 | Location Tracking | SpyDealer harvests location data from victims.1 |
| mobile | T1644 | Out of Band Data | SpyDealer enables remote control of the victim through SMS channels.1 |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | SpyDealer harvests phone call history from victims.1 |
| mobile | T1636.003 | Contact List | SpyDealer harvests contact lists from victims.1 |
| mobile | T1636.004 | SMS Messages | SpyDealer harvests SMS and MMS messages from victims.1 |
| mobile | T1513 | Screen Capture | SpyDealer abuses Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ.1 |
| mobile | T1409 | Stored Application Data | SpyDealer exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others.1 |
| mobile | T1422 | System Network Configuration Discovery | SpyDealer harvests the device phone number, IMEI, and IMSI.1 |
| mobile | T1512 | Video Capture | SpyDealer can record video and take photos via front and rear cameras.1 |